| Malware family | PureLog Stealer (delivered by the Veil#Drop framework) |
| Threat actor | Not attributed by Securonix |
| Targets | Windows users; victim count not disclosed |
| Delivery vector | Malicious JavaScript disguised as a document, spread through compromised websites |
| Key capabilities | Steals browser credentials, cookies, session tokens, and crypto wallets; profiles the host |
| Source | Securonix Threat Research |
TL;DR
Securonix Threat Research named a new fileless campaign Veil#Drop. The attack hides a JavaScript file as a document, then runs PowerShell loaders from Google’s Blogspot to drop PureLog Stealer directly in memory. Because nothing lands on disk, the chain slips past many antivirus and file-based tools.
How the attack starts
The Veil#Drop malware starts with a booby-trapped JavaScript file. Attackers give it a document-style name, for example transcript.pdf.js. Windows hides known extensions by default, so the victim often sees only “transcript.pdf.” As a result, the file looks harmless.
When the user double-clicks it, Windows Script Host runs the script. The script then launches PowerShell with execution policy checks disabled. Securonix calls this file a “lightweight launcher,” since its only job is to pass control to PowerShell. The report labels the naming trick “multi-extension masquerading.”
Attackers also spread these files through hacked websites instead of their own servers. Therefore, the download blends into normal web browsing and avoids many domain-reputation filters.

Inside the infection chain
Trusted cloud staging
Once PowerShell runs, it pulls the next stage from an attacker-controlled Blogspot page. Blogspot belongs to Google, so the traffic looks trusted. That choice helps the campaign dodge reputation-based detection.
Each stage handles one task, then hands off to the next. First, the loader downloads a decoy webpage to reassure the victim. Next, it deletes the original .js file and stops selected processes. After that, it decrypts a hidden payload with a custom XOR routine.
Fileless .NET execution
Later stages rebuild .NET assemblies from encoded decimal data. The malware then loads them straight into memory using .NET reflection. Because no executable touches disk, static scanners have little to inspect.
If reflection fails, the loader switches to trusted Microsoft tools such as RegSvcs, InstallUtil, and MSBuild. These living-off-the-land binaries run the code while looking like routine admin activity. The loader tries each option in turn until one works.
The malware also changes shape on every run. It builds each Blogspot URL with a random number of slashes, and it swaps placeholder text for random strings. As a result, file hashes and URL patterns shift each time. Static signatures then struggle to keep up.
What PureLog Stealer takes
The final payload is PureLog Stealer, a .NET infostealer sold on underground forums since 2022. Researchers link the tool to a developer known as PureCoder, who also sells related malware. Because it runs as a paid service, many low-skill actors can use it.
On the victim’s machine, PureLog harvests browser passwords, cookies, session tokens, autofill data, and history. It targets Chrome, Edge, Firefox, Brave, and Opera. Stolen session cookies pose a real danger, since attackers can replay them to bypass multi-factor authentication.
The stealer also hunts crypto wallets, including MetaMask, Exodus, and Trust Wallet. In addition, it profiles the host and records the computer name, operating system, and running processes.
Command-and-control and data exfiltration
After collection, PureLog packages the stolen data and sends it to remote command-and-control infrastructure. The transfer usually runs over encrypted channels, which hides it inside normal HTTPS traffic. Attackers then reuse or sell the credentials for fraud, account takeover, and wider network access.
For safety, we do not republish the campaign’s live command-and-control addresses or any runnable commands. Defenders should instead focus on the behavior described here and pull machine-readable indicators from the primary report.
The damage often spreads past one machine. A single browser profile may hold VPN logins, Microsoft 365 sessions, or cloud tokens. With those in hand, attackers can move laterally, sell access, or stage ransomware later. So one quiet infection can seed a much larger breach.
Attribution and victim scope
Securonix has not tied Veil#Drop to a named group. Therefore, attribution remains open and unconfirmed. The report also does not give a victim count, so the scale stays unclear. Still, PureLog’s low price points to broad, opportunistic use rather than one dedicated actor.
How to detect and defend against Veil#Drop malware
Start with the process chain. A wscript.exe process that spawns powershell.exe is an early red flag. Also flag PowerShell that pairs Invoke-RestMethod with Invoke-Expression, especially alongside execution policy bypasses.
Next, turn on PowerShell script block logging, because memory-only attacks leave traces there. Watch for outbound traffic to Blogspot right after script execution. Finally, alert when trusted .NET binaries such as InstallUtil or MSBuild load unusual assemblies.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.